[yori]

How about this? Write your bug report. Sign the bug report with your private key. Anonymously publish the bug report, the signature and the public key. Later when required, prove that you wrote the bug report by using your private key to sign a new message or a challenge message sent by any challenger.

[lawn]

This could work, as long as you trust the ones you file your bug report to. This isn't always the case for white hat hackers who interact with big corporations for example. You also don't always want to disclose the actual vulnerability beforehand to everyone either, to give them time to fix them.

If these things don't hold then you still need to find a trusted way to publish your hash or encrypted message so you can get your timestamp.

[RL_Quine]

The idea is to replace social proof (that the timestamps are correct wherever it is published) with cryptographic proof, but I commented below on some of the pitfalls of doing so.

[yori]

I provided a cryptographic proof that does not require blockchain.

[RL_Quine]

No, yours relies on social proof (the post being public somewhere) as the timestamp. Nothing about what you described is different from just posting a hash of the prediction beforehand.